[Django] #20922: Signed Cookie Session Backend Should Support Using a JSON Serializer
Django
-------------------------------+--------------------
Reporter: gwahl@… | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 1.5
Severity: Normal | Keywords:
Triage Stage: Unreviewed | Has patch: 0
Easy pickings: 0 | UI/UX: 0
-------------------------------+--------------------
The `django.contrib.sessions.backends.signed_cookies` session backend
should be written in a way that allows subclasses to use their own
serializer implementation. This will allow using JSON instead of Pickle to
serialize sessions.
For background, see #20444 and https://groups.google.com/d/topic/django-
developers/YwlZ9m9k1bE/discussion.
Patch to come shortly.
--
Ticket URL: <https://code.djangoproject.com/ticket/20922>
Django <https://code.djangoproject.com/>
The Web framework for perfectionists with deadlines.
Django
Reporter: gwahl@… | Owner: nobody
Type: Uncategorized | Status: new
Component: Uncategorized | Version: 1.5
Keywords: | Triage Stage: Unreviewed
Has patch: 1 | Needs documentation: 0
Needs tests: 0 | Patch needs improvement: 0
Easy pickings: 0 | UI/UX: 0
Changes (by gwahl@…):
* needs_better_patch: => 0
* has_patch: 0 => 1
* needs_tests: => 0
* needs_docs: => 0
Comment:
Pull request: https://github.com/django/django/pull/1474
Question: Should this be mentioned in the docs for this backend? An
example of a backend using JSON could be helpful.
--
Ticket URL: <https://code.djangoproject.com/ticket/20922#comment:1>
Django
Reporter: gwahl@… | Owner: nobody
Type: New feature | Status: new
Component: contrib.sessions | Version: 1.5
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by timo):
* type: Uncategorized => New feature
* component: Uncategorized => contrib.sessions
* severity: Normal => Release blocker
* stage: Unreviewed => Accepted
Comment:
Yes, I actually have a more extensive patch in the works.
--
Ticket URL: <https://code.djangoproject.com/ticket/20922#comment:2>
Django
----------------------------------+------------------------------------
Reporter: gwahl@… | Owner: timo
Type: New feature | Status: assigned
Component: contrib.sessions | Version: 1.5
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by timo):
* owner: nobody => timo
* status: new => assigned
Old description:
> The `django.contrib.sessions.backends.signed_cookies` session backend
> should be written in a way that allows subclasses to use their own
> serializer implementation. This will allow using JSON instead of Pickle
> to serialize sessions.
>
> For background, see #20444 and https://groups.google.com/d/topic/django-
> developers/YwlZ9m9k1bE/discussion.
>
> Patch to come shortly.
New description:
The `django.contrib.sessions.backends.signed_cookies` session backend
should be written in a way that allows subclasses to use their own
serializer implementation. This will allow using JSON instead of Pickle to
serialize sessions.
For background, see #20444 and https://groups.google.com/d/topic/django-
developers/YwlZ9m9k1bE/discussion.
--
Comment:
The plan is to introduce `settings.SESSION_SERIAZLIER` in the next 1.5.x
release. It'll default to using pickle for backwards compatibility, but
the default will switch to using JSON in 1.6.
[https://github.com/django/django/pull/1488 Pull request] in progress.
An additional API has been proposed by @apollo13 to allow customizing the
serializiers a bit easier (rather than dealing with subclassing the
current serializers, having to possibly write mixins, etc.). For example,
in the existing patch `JSONMessagesSerializer` could be replaced by a
hook:
{{{
class SerializerHook(object):
handles_variables = ['variable1', ...]
def to_primitive(self, name, object):
pass
def from_primitive(self, name, object):
pass
}}}
Then in `settings.py` you'd have another setting:
`SESSION_SERIALIZER_HOOKS = ['django.contrib.messages.session_hook',
...]`
This would allow 3rd party applications to provide simple hooks for
their session stuff (although that should be rare since you generally
don't put that much logic into sessions, messages are one example of where
you still might wanna do it).
Feedback on whether or not this additional complexity is worthwhile would
be appreciated.
--
Ticket URL: <https://code.djangoproject.com/ticket/20922#comment:3>
Django
----------------------------------+------------------------------------
Reporter: gwahl@… | Owner: timo
Type: New feature | Status: assigned
Component: contrib.sessions | Version: 1.5
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by akaariai):
I think the additional complexity is needed. If you happen to use two
different applications that use something more complex in sessions, you
will need that.
Some questions:
- Are model instances automatically serializable? I know they can be
serialized for fixtures...
- What if two hooks have same "handles_variables" keys? First one wins?
Chain them? ValidationError? Something else?
- If you have some object type that needs always custom serialization,
but is found from different names in the session, is there any nice way to
handle that using the above API? Maybe '*' variable? Or maybe there should
be object hook that will be called if present (json_serialize(),
json_deserialize() for example).
- What about nested structures, if you happen to have object you know
how to serialize deeply nested, how to proceed? Again object hooks would
help here.
- What happens when transitioning from Pickle to JSON? Loud failure
seems like bad option, throwing session data out seems OK. I think this
should be tested (unless it already is).
These are not meant to be "must fix" issues, it is completely OK to answer
"too complex" to some of them... In any case there will be use cases where
JSON serialization will be nearly impossible. QuerySet serialization comes
to mind here...
--
Ticket URL: <https://code.djangoproject.com/ticket/20922#comment:4>
Django
----------------------------------+------------------------------------
Reporter: gwahl@… | Owner: timo
Type: New feature | Status: assigned
Component: contrib.sessions | Version: 1.5
Severity: Release blocker | Resolution:
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by timo):
1. No, model instances are not serializable using JSON. Its limitations
are noted in the documentation. An application would be responsible for
serializing the instance before storing it in a session.
2. We're not planning implementing the "hook" idea.
3. N/A, we're not implementing this API.
4. As hinted to above, our design decision boiled down to "it's up to the
application to only store simple data structures in sessions." See the
changes to `contrib.messages` for an example.
5. Sessions will be dropped (the release notes for 1.6 and 1.5.3 will
mention this). `SessionBase.decode` catches deserialization exceptions and
returns an empty session.
--
Ticket URL: <https://code.djangoproject.com/ticket/20922#comment:5>
Django
----------------------------------+------------------------------------
Reporter: gwahl@… | Owner: timo
Component: contrib.sessions | Version: 1.5
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Changes (by Tim Graham <timograham@…>):
* status: assigned => closed
* resolution: => fixed
Comment:
In [changeset:"b0ce6fe656873825271bacb55e55474fc346c1c6"]:
{{{
#!CommitTicketReference repository=""
revision="b0ce6fe656873825271bacb55e55474fc346c1c6"
Fixed #20922 -- Allowed customizing the serializer used by
contrib.sessions
Added settings.SESSION_SERIALIZER which is the import path of a serializer
to use for sessions.
Thanks apollo13, carljm, shaib, akaariai, charettes, and dstufft for
reviews.
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/20922#comment:6>
Django
----------------------------------+------------------------------------
Reporter: gwahl@… | Owner: timo
Type: New feature | Status: closed
Component: contrib.sessions | Version: 1.5
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Tim Graham <timograham@…>):
In [changeset:"616a4d385a79d6809b618dcc8bcbda05b032d5fc"]:
{{{
#!CommitTicketReference repository=""
revision="616a4d385a79d6809b618dcc8bcbda05b032d5fc"
[1.5.x] Fixed #20922 -- Allowed customizing the serializer used by
contrib.sessions
Added settings.SESSION_SERIALIZER which is the import path of a serializer
to use for sessions.
Thanks apollo13, carljm, shaib, akaariai, charettes, and dstufft for
reviews.
Backport of b0ce6fe656 from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/20922#comment:7>
Django
----------------------------------+------------------------------------
Reporter: gwahl@… | Owner: timo
Type: New feature | Status: closed
Component: contrib.sessions | Version: 1.5
Severity: Release blocker | Resolution: fixed
Keywords: | Triage Stage: Accepted
Has patch: 1 | Needs documentation: 0
Easy pickings: 0 | UI/UX: 0
Comment (by Tim Graham <timograham@…>):
In [changeset:"5f061986b9903b335e4bfe41cf172d710604d5cb"]:
{{{
#!CommitTicketReference repository=""
revision="5f061986b9903b335e4bfe41cf172d710604d5cb"
[1.6.x] Fixed #20922 -- Allowed customizing the serializer used by
contrib.sessions
Added settings.SESSION_SERIALIZER which is the import path of a serializer
to use for sessions.
Thanks apollo13, carljm, shaib, akaariai, charettes, and dstufft for
reviews.
Backport of b0ce6fe656 from master
}}}
--
Ticket URL: <https://code.djangoproject.com/ticket/20922#comment:8>